From ada3b11a742a79697803125199654b6858d830b7 Mon Sep 17 00:00:00 2001
From: Carita Ndibe
Date: Wed, 15 Apr 2026 02:08:14 +0100
Subject: [PATCH 1/5] zizmor fixes

---
 .github/workflows/deploy.yml | 24 +++++++++++++++++++-----
 .github/workflows/test.yml | 14 +++++++++++++-
 2 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index a4c40253..834c5120 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -6,30 +6,44 @@ on:
 branches:
 - master
+# Limit concurrent workflow runs to prevent resource conflicts and ensure clean deployments
+concurrency:
+ group: pages
+ cancel-in-progress: false
+
+# Default permissions for all jobs - minimal access
+permissions: {}
+
 jobs:
 build:
+ name: Build site
 env:
 MDBOOK_VERSION: 0.5.1
 RUN_BLACKSMITH: 1
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ # Checkout repository without persisting credentials to reduce attack surface
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: Install mdbook
 run: curl -sSL https://github.com/rust-lang/mdBook/releases/download/v${MDBOOK_VERSION}/mdbook-v${MDBOOK_VERSION}-x86_64-unknown-linux-gnu.tar.gz | tar -xz
 - name: Build book
 run: ./mdbook build
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v4
+ uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
 with:
 path: ./book/html
 deploy:
+ name: Deploy to GitHub Pages
 if: github.repository_owner == 'rust-lang'
 needs: build
+ # Required permissions for GitHub Pages deployment
 permissions:
- pages: write
- id-token: write
+ pages: write # Required to deploy to GitHub Pages
+ id-token: write # Required for OIDC authentication with GitHub Pages service
 environment:
 name: github-pages
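Review bot: The `build` job now runs under the workflow-level `permissions: {}` with no job-level grant of its own, so its GITHUB_TOKEN carries no scopes at all; a checkout of a public repository should still succeed, but confirm on the first run that both the checkout and the `upload-pages-artifact` step work with an empty-scope token, or give `build` an explicit `permissions: contents: read` block. Separately, the line `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4` replaces `actions/checkout@v6`, which is a major-version downgrade in this commit; PATCH 4/5 later in the series moves it to a v6 SHA, so the intermediate state is only a bisect hazard. The trailing version comment on every pinned `uses:` here, and on the checkout line in the test.yml hunk of this patch, should carry the full release tag the SHA resolves to (placeholder form `# vX.Y.Z`) rather than a bare major, so a reviewer or pin-update tool can verify the SHA against a single release.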
@@ -38,4 +52,4 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - id: deployment
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 227550f5..73d69644 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -2,6 +2,15 @@ name: Test
 on:
 pull_request:
+# Cancel in-progress runs for the same PR to save resources
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+# Minimal permissions for testing
+permissions:
+ contents: read
+
 jobs:
 test:
 name: test
@@ -11,7 +20,10 @@ jobs:
 MDBOOK_OUTPUT__LINKCHECK__WARNING_POLICY: error
 RUN_BLACKSMITH: 1
 steps:
- - uses: actions/checkout@v4
+ # Checkout repository without persisting credentials to reduce attack surface
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: Install mdbook
 run: curl -sSL https://github.com/rust-lang/mdBook/releases/download/v${MDBOOK_VERSION}/mdbook-v${MDBOOK_VERSION}-x86_64-unknown-linux-gnu.tar.gz | tar -xz
 - name: Install mdbook-linkcheck2

From aa0675043079ce65527a40980295b8b4f48f2a5d Mon Sep 17 00:00:00 2001
From: Carita Ndibe
Date: Wed, 15 Apr 2026 02:17:04 +0100
Subject: [PATCH 2/5] fixed zizmor errors/warnings and added a new GitHub Action that prevents zizmor issues from happening again

---
 .github/workflows/zizmor.yml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000..0bee6518
--- /dev/null
+++ b/.github/workflows/zizmor.yml
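Review bot: The `|| github.ref` fallback in `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}` is unreachable as written, because this workflow's only trigger is `pull_request` and `github.event.pull_request.number` is always populated for that event; either drop the fallback or keep it with a comment such as `# fallback is for future push/workflow_dispatch triggers`. The expression sits in `concurrency`, not in a `run:` script, so there is no shell-interpolation concern with referencing `github.ref` here. The `test` job's body continues outside the hunk.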
@@ -0,0 +1,36 @@
+name: Security Audit with zizmor
+
+on:
+ push:
+ branches: [master]
+ paths:
+ - '.github/workflows/**'
+ pull_request:
+ branches: [master]
+ paths:
+ - '.github/workflows/**'
+
+# Cancel in-progress runs for the same PR to save resources
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+# Minimal permissions for auditing
+permissions:
+ contents: read
+
+jobs:
+ zizmor:
+ name: Run zizmor security audit
+ runs-on: ubuntu-latest
+ steps:
+ # Checkout repository without persisting credentials to reduce attack surface
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
+
+ - name: Install zizmor
+ run: cargo install zizmor
+
+ - name: Run zizmor audit
+ run: zizmor --persona pedantic --min-severity low .github/workflows

From a55976185f7719abb3f2665b03269f738e823424 Mon Sep 17 00:00:00 2001
From: Carita Ndibe
Date: Wed, 15 Apr 2026 02:49:48 +0100
Subject: [PATCH 3/5] Fix zizmor CI workflow to use pre-built binary instead of cargo install

---
 .github/workflows/zizmor.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 0bee6518..750f50af 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -30,7 +30,10 @@ jobs:
 persist-credentials: false
 - name: Install zizmor
- run: cargo install zizmor
+ run: |
+ curl -sSL https://github.com/woodruffw/zizmor/releases/download/v1.24.1/zizmor-x86_64-unknown-linux-gnu.tar.gz | tar -xz
+ chmod +x zizmor
+ sudo mv zizmor /usr/local/bin/
 - name: Run zizmor audit
 run: zizmor --persona pedantic --min-severity low .github/workflows

From 89e0f5c0ac7672ae1b003ccbeb34c7ff796ccdbf Mon Sep 17 00:00:00 2001
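Review bot: The audit gate `run: zizmor --persona pedantic --min-severity low .github/workflows` is undocumented: combining the strictest persona with the lowest severity floor means any new pedantic finding in a workflow edit fails the PR, which is a deliberate policy worth stating next to the step, e.g. `# Fail on every finding, pedantic ones included; suppress individual findings with a justified ignore rather than lowering this bar`. Both triggers filter on `paths: - '.github/workflows/**'` and the audit is pointed at that same directory, so anything zizmor could check outside that tree is neither audited nor re-triggered on change; if the repository has no such files that is fine, but a one-line comment saying so would avoid a false sense of coverage. The unpinned `run: cargo install zizmor` is replaced by PATCH 3/5 of this series, so it is not re-raised here.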
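Review bot: The new install step pipes `zizmor-x86_64-unknown-linux-gnu.tar.gz` straight from the network into `tar -xz` with no integrity check, so the `v1.24.1` in the URL only fixes which release is requested, not that the bytes received are the ones that release published; for a workflow whose job is to harden the other workflows this is the weakest link. `curl -sSL` also lacks `-f`, so a non-200 response (a renamed or removed asset, for example) is handed to `tar` as an HTML body instead of failing in curl. Fetch to a file with `curl -fsSL -o`, verify a checksum recorded in the workflow, and only then extract; whether the upstream release publishes a checksum file or attestation is not visible here, so the digest below is a placeholder to be filled from the release page. `chmod +x zizmor` assumes the binary sits at the top level of the archive, which is presumably true but also not visible from this hunk.
```yaml
- name: Install zizmor
  env:
    ZIZMOR_VERSION: "1.24.1"
    # placeholder: replace with the sha256 published for this release asset
    ZIZMOR_SHA256: "<sha256-of-zizmor-x86_64-unknown-linux-gnu.tar.gz>"
  run: |
    set -euo pipefail
    curl -fsSL -o zizmor.tar.gz "https://github.com/woodruffw/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-x86_64-unknown-linux-gnu.tar.gz"
    echo "${ZIZMOR_SHA256}  zizmor.tar.gz" | sha256sum -c -
    tar -xzf zizmor.tar.gz
    chmod +x zizmor
    sudo mv zizmor /usr/local/bin/
# … unchanged: Run zizmor audit step …
```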
From: Carita Ndibe
Date: Wed, 15 Apr 2026 10:23:32 +0100
Subject: [PATCH 4/5] Updates all GitHub Actions workflows to use the latest checkout action version (v6) with pinned commit SHA.

---
 .github/workflows/deploy.yml | 2 +-
 .github/workflows/test.yml | 2 +-
 .github/workflows/zizmor.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 834c5120..1996ad30 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -23,7 +23,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 # Checkout repository without persisting credentials to reduce attack surface
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
 - name: Install mdbook
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 73d69644..b5ed25b9 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ jobs:
 RUN_BLACKSMITH: 1
 steps:
 # Checkout repository without persisting credentials to reduce attack surface
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
 - name: Install mdbook
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 750f50af..863414f2 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -25,7 +25,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 # Checkout repository without persisting credentials to reduce attack surface
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false

From 55a335da8189bd9c33b41e9fb3e4c83cceb6754d Mon Sep 17 00:00:00 2001
From: Carita Ndibe
Date: Wed, 15 Apr 2026 14:53:44 +0100
Subject: [PATCH 5/5] updated actions to latest version

---
 .github/workflows/deploy.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 1996ad30..452c5c2b 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -31,7 +31,7 @@ jobs:
 - name: Build book
 run: ./mdbook build
 - name: Upload artifact
- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
+ uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5
 with:
 path: ./book/html
@@ -52,4 +52,4 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - id: deployment
- uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
+ uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5